You can grant access to Runtime Defined Entities (RDEs) by sharing them with other system administrators or tenants.

Sharing Defined Entities with Another User

  1. If you want to grant access to defined entities to tenants, publish the rights bundle of the defined entity type to a tenant organization. For example, for the creation and management of Tanzu Kubernetes clusters, you must publish the vmware:tkgcluster Entitlement rights bundle. See Publish or Unpublish a Rights Bundle.

    If you want to share the defined entity with a system administrator, skip this step.

  2. Assign the View: TYPE, Edit: TYPE, or Full Control: TYPE right from the bundle to the user roles you want to have the specific level of access to the defined entity.

    For example, if you want the users with the tkg_viewer role to view Tanzu Kubernetes clusters within the organization, you must add the View: Tanzu Kubernetes Guest Cluster right to the role. If you want the users with the tkg_author role to create, view, and modify Tanzu Kubernetes clusters within this organization, add the Edit: Tanzu Kubernetes Guest Cluster right to that role. If you want the users with the tkg_admin role to create, view, modify, and delete Tanzu Kubernetes clusters within this organization, add the Full Control: Tanzu Kubernetes Guest Cluster right to the role.

  3. Grant the specific user Access Control List (ACL) access to the entity by making the following REST API call.

    POST https://[address]/cloudapi/1.0.0/entities/urn:vcloud:entity:[vendor]:[type name]:[version]:[UUID]/accessControls
     {
       "grantType" : "MembershipAccessControlGrant",
       "accessLevelId" : "urn:vcloud:accessLevel:[Access_level]",
       "memberId" : "urn:vcloud:user:[User_ID]"
     }

    Access_level must be ReadOnly, ReadWrite, or FullControl. User_ID must be the ID of the user to whom you want to grant access to the defined entity.

    Users with the tkg_viewer role, described in the example, cannot grant ACL access. Users with the tkg_author or tkg_admin role can share access to a VMWARE:TKGCLUSTER entity with users who have the tkg_viewer, tkg_author, or tkg_admin role by granting them ACL access using the API request.

    You can also use REST API calls to revoke access or to view who has access to the entity. See the VMware Cloud Director REST API documentation on code.vmware.com.
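The grant request from step 3, built with input validation before anything is sent. This is an added example, not VMware's code: the function name, the ID patterns (derived from the URN templates above), the bearer-token and versioned Accept headers, and all sample values are assumptions.

```python
import json
import re
import urllib.request

# Access levels the page allows for [Access_level].
ACCESS_LEVELS = ("ReadOnly", "ReadWrite", "FullControl")
# Assumed ID shapes, taken from the URN templates in the request above.
UUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
ENTITY_URN = re.compile(rf"urn:vcloud:entity:[\w.-]+:[\w.-]+:[\w.-]+:{UUID}")
USER_URN = re.compile(rf"urn:vcloud:user:{UUID}")
HOST = re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?")

def build_acl_grant(address, entity_urn, user_urn, access_level, token, api_version):
    """Validate the inputs and return an unsent POST request for the ACL grant."""
    if access_level not in ACCESS_LEVELS:
        raise ValueError(f"access level must be one of {ACCESS_LEVELS}")
    if not ENTITY_URN.fullmatch(entity_urn):
        raise ValueError("entity ID is not urn:vcloud:entity:[vendor]:[type name]:[version]:[UUID]")
    if not USER_URN.fullmatch(user_urn):
        raise ValueError("member ID is not urn:vcloud:user:[User_ID]")
    if not HOST.fullmatch(address):
        # Rejecting paths and userinfo keeps the token from going to an injected host.
        raise ValueError("address must be a host name with an optional port")
    body = {
        "grantType": "MembershipAccessControlGrant",
        "accessLevelId": f"urn:vcloud:accessLevel:{access_level}",
        "memberId": user_urn,
    }
    return urllib.request.Request(
        f"https://{address}/cloudapi/1.0.0/entities/{entity_urn}/accessControls",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            # Assumption: bearer-token session and a versioned JSON Accept header.
            "Authorization": f"Bearer {token}",
            "Accept": f"application/json;version={api_version}",
            "Content-Type": "application/json",
        },
    )

if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    req = build_acl_grant(
        "vcd.example.com",
        "urn:vcloud:entity:vmware:tkgcluster:1.0.0:11111111-2222-3333-4444-555555555555",
        "urn:vcloud:user:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "ReadOnly", token="PLACEHOLDER_TOKEN", api_version="36.0",
    )
    print(req.get_method(), req.full_url, req.data.decode())
```

Pass the returned object to urllib.request.urlopen to send it; granting the lowest access level that meets the need keeps a shared entity from being modified or deleted by the grantee.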

Sharing Administrator Rights to Defined Entities

  1. If you want to grant access to defined entities to tenants, publish the rights bundle of the defined entity type to a tenant organization. For example, for the creation and management of Tanzu Kubernetes clusters, you must publish the vmware:tkgcluster Entitlement rights bundle. See Publish or Unpublish a Rights Bundle.

    If you want to share the defined entity with a system administrator, skip this step.

  2. Assign the Administrator View: TYPE or Administrator Full Control: TYPE right from the bundle to the user roles you want to have the specific level of access to the defined entity.

    For example, if you want the users with this role to view all Tanzu Kubernetes clusters within the organization, you must add the Administrator View: Tanzu Kubernetes Guest Cluster right to the role. If you want the users with this role to create, view, modify, and delete Tanzu Kubernetes clusters in all organizations, add the Administrator Full Control: Tanzu Kubernetes Guest Cluster right to the user role.

    Users with the Administrator Full Control: Tanzu Kubernetes Guest Cluster right can grant ACL access to any VMWARE:TKGCLUSTER entity.

Changing the Owner of a Defined Entity

The owner of a defined entity or a user with the Administrator Full Control: TYPE right can transfer the ownership to another user by updating the defined entity model and setting the owner field to the ID of the new owner.